BAS Cybersecurity Steps: Firewalls, Isolation, Patches
There are other BAS cybersecurity measures, including firewalls, isolation of the BAS, and applying patches to older systems. All can be useful, but facility managers need to understand the issues involved with each. Even if the BAS isn't extensively networked, experts recommend an old security standby, the firewall, as an excellent first line of defense. The key is deciding where to place it.
Riggio uses firewalls in a slightly unconventional way. Most people think of having firewalls at the periphery, he explains, but Macerich puts the firewalls at the center of their network. "It protects the most vital information," he says.
This kind of inside-out thinking, he says, allows Macerich to host vendors at the fringe of the company's network, and doing so allows the company to control vendor access. Another way to think of it is that Macerich doesn't build a fort with a heavily fortified outer wall; it builds layers of defense surrounding a heavily fortified "safe room" at the center.
"Even if the BAS isn't heavily networked, firewalls are nine-tenths of your protection," Riggio says. "Take a couple of hours with knowledgeable IT staff or vendors to build a proper firewall, even a small one, to give a bit of extra protection to a BAS."
Chapman says he relies on his Navy training in his current work. "Loose lips sink ships," he says, advising facility managers to be conscious of providers, vendors, and staff, and also to have a complete understanding of what corporate networks a BAS is tied into.
Another traditional solution, one that Chapman uses to deliver one level of security, is connecting the BAS to a standalone DSL line. Chapman understands that it's one layer of security, but far from complete.
Sinopoli says that the most popular security approach for a BAS is to isolate the system by not letting it connect to any other networks. It can work well, but he also cautions users not to be lulled into a false sense of security. "The (BAS) at a minimum will have fire systems, HVAC, access control, elevators, and possibly lighting connected into it, potentially allowing access from one of those networks or one of the devices on those networks," he says.
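The "fortified center" firewall placement Riggio describes, and Sinopoli's caveat that an "isolated" BAS still has fire, HVAC, access control, and elevator networks attached to it, can be made concrete with a small policy model. What follows is an added example, not Macerich's configuration or anything supplied by the article's sources. The zone names, address ranges, the management jump host, and the port numbers are assumptions (BACnet/IP on UDP 47808 is that protocol's standard port; everything else is constructed). It contrasts a perimeter-only policy, which trusts everything inside the building network, with a core-first policy that denies all traffic to the BAS core unless a rule explicitly allows it, and then runs the same sample flows through both.

```python
"""Zone-based firewall policy model for a building automation network.

Constructed example: zones, addresses, hosts and ports are assumed, not taken
from any real site. The point is the placement of the deny-by-default boundary:
around the BAS core (the "safe room") rather than only at the Internet edge.
"""
from dataclasses import dataclass
import ipaddress

# Assumed zones. Order matters: the first matching network wins, so the
# single management jump host is listed before the wider corporate range.
ZONES = {
    "core": ipaddress.ip_network("10.10.0.0/24"),      # BAS servers / head-end
    "subsystem": ipaddress.ip_network("10.20.0.0/16"), # HVAC, fire, access, elevator, lighting
    "vendor": ipaddress.ip_network("10.99.0.0/24"),    # vendor connections hosted at the fringe
    "mgmt": ipaddress.ip_network("10.0.5.10/32"),      # assumed jump host used by in-house IT
    "corporate": ipaddress.ip_network("10.0.0.0/16"),  # general corporate LAN
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known ranges is untrusted."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "untrusted"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    src: str          # zone name or "*"
    dst: str          # zone name or "*"
    proto: str        # "tcp", "udp" or "any"
    ports: frozenset  # empty = any port
    action: str       # "allow" or "deny"


# Weak design: one wall at the edge, everything inside the building is trusted.
PERIMETER_ONLY = [
    Rule("untrusted", "*", "any", frozenset(), "deny"),
    Rule("*", "*", "any", frozenset(), "allow"),
]

# Core-first design: the BAS core is default-deny; every path into it is explicit.
CORE_FIRST = [
    Rule("mgmt", "core", "tcp", frozenset({22, 443}), "allow"),      # admin access via jump host only
    Rule("subsystem", "core", "udp", frozenset({47808}), "allow"),   # BACnet/IP from field networks
    Rule("core", "subsystem", "udp", frozenset({47808}), "allow"),
    Rule("*", "core", "any", frozenset(), "deny"),                   # nothing else reaches the core
    Rule("vendor", "*", "any", frozenset(), "deny"),                 # vendor sessions end in the vendor zone
    Rule("subsystem", "*", "any", frozenset(), "deny"),              # field networks cannot pivot elsewhere
    Rule("untrusted", "*", "any", frozenset(), "deny"),
    Rule("*", "*", "any", frozenset(), "allow"),
]


def evaluate(policy, flow: Flow) -> str:
    """First-match evaluation with an implicit final deny."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    for rule in policy:
        if rule.src not in ("*", src_zone):
            continue
        if rule.dst not in ("*", dst_zone):
            continue
        if rule.proto not in ("any", flow.proto):
            continue
        if rule.ports and flow.dport not in rule.ports:
            continue
        return rule.action
    return "deny"


# Constructed sample flows: the kinds of paths Sinopoli warns about.
SAMPLE_FLOWS = {
    "vendor laptop -> BAS web UI": Flow("10.99.0.25", "10.10.0.5", 443),
    "HVAC controller -> BAS ssh": Flow("10.20.3.7", "10.10.0.5", 22),
    "HVAC controller -> BAS BACnet": Flow("10.20.3.7", "10.10.0.5", 47808, "udp"),
    "HVAC controller -> corporate file share": Flow("10.20.3.7", "10.0.7.42", 445),
    "corporate workstation -> BAS web UI": Flow("10.0.7.42", "10.10.0.5", 443),
    "IT jump host -> BAS web UI": Flow("10.0.5.10", "10.10.0.5", 443),
    "Internet host -> BAS web UI": Flow("203.0.113.9", "10.10.0.5", 443),
}


def compare(flows=SAMPLE_FLOWS) -> dict:
    """Return {label: (perimeter_only_verdict, core_first_verdict)} for each flow."""
    return {label: (evaluate(PERIMETER_ONLY, f), evaluate(CORE_FIRST, f))
            for label, f in flows.items()}


if __name__ == "__main__":
    print(f"{'flow':45} {'perimeter-only':15} core-first")
    for label, (edge, core) in compare().items():
        print(f"{label:45} {edge:15} {core}")
```

Run as a script it prints one line per sample flow with both verdicts side by side. The perimeter-only policy lets the vendor laptop, a compromised HVAC controller, and any corporate workstation reach the BAS core, and lets the controller reach the corporate LAN; the core-first policy allows only the jump host's admin sessions and the BACnet exchange with the field networks, which is the "layers around a safe room" arrangement the article describes.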
Some experts also encourage use of security patches, particularly for organizations operating older systems. The advice, however, comes with a caveat.
System patches for older equipment are often custom-designed, since manufacturers traditionally produce security patches for the latest edition(s) of their software. Perhaps even more critical, attempting to patch known security leaks can potentially trigger automated system-scanning software to shut down components or technology that's integral to facility function. As such, experts recommend conducting a systematic diagnosis before deploying patches on an aging network infrastructure.
Applying patches still can be done, and might warrant consideration. Riggio recommends, as one of the first lines of defense, reading about the BAS used by the facility. The goal of this research, he notes, is to help facility managers understand how to best go about patching a system without disrupting it.
And that's vital, particularly for older buildings or older systems. Sinopoli notes that buildings with legacy systems are likely more vulnerable to attack. That's because the age of the software, browsers, peripherals, and more leads to a higher probability of missing software patches, especially considering that potential security breaches on older systems are well known to attackers, making an attack far easier.
Vigilance is the key, say Chapman and Riggio, who both combat cyberattacks regularly. "I've got to keep my equipment running," Chapman says, "and I have to keep people and information safe."
Loren Snyder, a contributing editor for Building Operating Management, is a writer who specializes in facility issues. He was formerly managing editor of Building Operating Management.